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1. INTRODUCTION 

Optimization is the process of getting the best result from the given circumstances. Design, 
construction and maintenance of engineering systems comprises of decision making both at the managerial and 
the technological level. Goals of such decisions are to minimize the effort required or to maximize the desired 
benefit. Needs of optimization is the most cost effective or highest attainable performance under the given 
constraints, by maximizing desired factors and minimizing undesired ones. The maximization is defined as to 
obtaining more result without cost. An optimization problem is the problem of finding the best solution from 
all feasible solutions. The optimization problems are knapsack problem, traveling salesman, vehicle routing 
problem, Job Shop Scheduling, etc. 

An optimization algorithm is a process which is executed repeatedly by comparing various results 
until exact solution is found. There are two types of optimization algorithms. Deterministic Algorithms use 
specific order for changing one result to other. These algorithms are in used in some times and which is applied 
in engineering design problems. Stochastic Algorithms are achieving popularity due to certain properties with 
probabilistic translation rules. 

The bio-inspired (biologically inspired) methods have several features and advantages compared to 
conventional optimization solvers and also to solve hard-to-define (in simple expressions), real-world 
problems. These bio-inspired methods have provided novel ways of problem-solving for practical issues in 
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traffic routing, networking, games, industry, robotics, civil, water resources and others fields. The needs to go 
for bio-inspired algorithm is finding the solution for complex optimization problem based on animal behavior. 
Biologically Inspired Systems are observing animal and human behaviors and Study biological structures. 
Acquired knowledge may help us mimic nature and develop better engineering systems and machines. 
Bio-inspired computing is deal with complicated issues using computational methods. The objective 
is to produce informatics tools with enhanced robustness, flexibility, scalability and that can interface more 
effectively with humans. It is a multi-disciplinary process with based on Biology, Informatics, Cognitive 
Science, Computer Science and robotics. We study bio-inspired algorithms in security, computational 
intelligence, information retrieval, robotics, modeling and simulation, machine learning, and biology itself. 


2. PROBLEM STATEMENT 

Most of the contemporary computer security research work is based on Intrusion detection is a 
component of detection processes. It tries to identify if a host is under attack or not. HIDS (host Intrusion 
Detection System) based on location from which it collects data and anomaly based HIDS (A-HIDS). The most 
popular approach for today's HIDS is still signature based. It performs intrusion detection by searching for 
content or sequence of bytes in a single packet. This approach works well if the pattern of attacks could be 
found in advance. This approach is reliable and has low false negatives rate for detecting known attacks. 
However, it cannot detect new attacks or mutation of known attacks because have not been discovered. 
Anomaly-based detection (A-HIDS) builds models of normal behavior in a system, and attempt to identify 
attacks on deviations from the normal network activities. Anomaly-based detectors can detect new and 
completely unknown attacks but may have high false positive rates. 


3. PROPOSED SYSTEM 
3.1. Bee Stinging Behaviour 

Honey bees have three castes are queens, workers, and drones. Drones are male, while workers and 
queens are female. Queen bee will spend half period of her life for mating (i.e. Outside of hive) and remaining 
lifetime it lays eggs. It has stinger used to sting other queen bees during mating for dominance. Drone is used 
to find the queen bee only for mating, after mating it will be dead. It has no stinger. Workers develop in 21 
days. Their duties change upon the bee age in the order (birth with cleaning out their own cell after eating 
through their capped brood cell) are feed brood, receive nectar, clean hive, guard duty, scout, onlooker and 
foraging (employed bee). Some workers employ in other functional behaviors, such as "undertaking" 
(removing corpses of their nest mates from inside the hive). 

Honeybees attack only to protect their colony, but will also attack if they are continuously disturbed 
outside the nest. Typical sources of attack which motivation for honeybees to add alarm pheromone, vibrations, 
carbon dioxide, hair, and dark colors. Stinging is the eventual final act of a honeybee, because after that she 
will die. First the bee becomes alerted; she takes on a guarding stance and extends the sting that recruits other 
bees by generating alarm pheromone. Secondly, the bee will search for the origin of stimulus and conform 
towards it. Final one is she will attack; emitting a high pitched buzz sound and making body thrusts against the 
origin of disturbance. In such a protection activity, honeybees rarely pursue stimuli for long distances (pursue 
victims for hundreds of meters). If a sting occurs, then the bee will die soon, after stinging because the sting is 
left behind the predators and the bee eviscerate itself in flying away. Once the bee’s stinger is inside a victim, 
it pumps out more venom and release alarm pheromones. During this time, the stinging bee will spend its dying 
moments disturbing its victim by flying around its head as if it were going to sting (attack) again the victim. 


3.2. Bee Stinging Behaviour 

In this proposed algorithm, as it has already been mentioned, an algorithm based on the stinging 
behavior of honey bee is presented. The general steps of the proposed novel optimization algorithm based on 
bee stinging behavior are presented in Figure 1. 

The proposed algorithm is novel optimization algorithm based on the stinging behavior of honey bee. 
The novel optimization algorithm based on stinging behavior of bee is a population based search algorithm 
inspired by the natural stinging behavior of honey bee. Bees are species that adapt to the environment easily, 
so organized society is generated. The hive of the honeybee protect from many predators(Insects) such as ants, 
wasps, and other hive bees are intruders, as well as many mammals are bears, skunks, mice, and humans. The 
attack behavior of bees is protective to certain stimuli that signal the colony is in danger. 

A bee will rarely sting when it is away from the hive foraging on pollen, nectar or water and also a 
bee sting if it is handled roughly. Venom is generated from the worker's venom gland and that is stored in the 
venom sac, which is filled within 14 days after their birth. The age distribution of the bees in a hive is relevant, 
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and that colonies with many bees less than 2 weeks, whose venom sacs are not yet filled, it show relatively 
little defensive behavior. A worker stings another bee to without injury to sting, but if worker stings into any 
other thicker skin get died. 


Pseudo code of basic optimization Algorithm based stinging behavior of bee 
Initialazion 

Generate the initial population randomly. 

Assignment of the task as the guard bee. 

Sensing abnormal activities for protection of colony. 

While (sens any abnormal activities) 

Release alarm pheromone for communication with worker bees to locate and mark threat. 
If evaluate activities to be continued then 

recruit bees to sting threat 

stinging release more pheromone to increase attack. 

10. Endif 

11. Repeat the process until the disturbance is over. 

12. _ End while 


SOE GOST ONO BG Ne 


Figure 1. Pseudo code of basic optimization algorithm based stinging behavior of bee 


In the basic algorithm, the first step of the algorithm starts by worker bees being placed randomly in 
search space. The second step of the algorithm is assigning the duties to each and every worker bees. The 
worker bee contains many duties like nursing bee, hive cleaning, foraging, guard duty, etc. the algorithm mainly 
based on guard bees to protect the hive. The guard bees are used to protect the hive, queen and themselves 
from intruders (insects), mammals and other bees (robbing bees). The third step of the algorithm is based on 
the guard duty which is used to protect hive, queen, food and themselves. It is randomly checking any abnormal 
activities done form the outside of colony. If any abnormal activities are done then the guard bees are releases 
alarms pheromones to recruit the other bee to attack the intruders. All the bees are located and marker the 
intruders based on some identification like hair, smell, color, etc. If the process is continued simultaneously 
then sting the intruder which emits pheromone to recruit all bees to sting the intruders (i.e. increase the attacks). 
The process is continued until the intruder is stopped disturbance or move away from the colony. 

The first step to our model is describes hunting behavior. Worker bees duties change upon the bee age 
in the order (birth with cleaning out their own cell after eating through their capped brood cell) are feed brood, 
receive nectar, clean hive, guard duty, scout, onlooker and foraging (employed bee). Some workers employ in 
other functional behaviors, such as cleaning corpses of their nest mates from inside the hive. The initial state 
of all worker bee is the state ‘decided’ U(t), means that they are doing their duties continuously. If such an 
decided worker bee meets a living prey animal in its surrounding environment, it stings (thus kills) this prey 
and thus becomes a stinger worker bee (S(t)) for some time (tStingers). After this time period it stops stinging 
and becomes an decided worker bee U(t) again. Assumed that the higher the spatial density of prey is expressed 
by variable ‘P(t)-the faster decided worker bee encounters a living prey item and the faster it is recruited to the 
stinging task. This process of recruitment R for stinging is therefore modeled as the following Equation 1, 


Res Ostingers * YO UO (1) 


whereby aStingers is the recruitment rate of decided worker bees to stingers. The abandoning from 
the stinging task is expressed by BStingers (t) modeled as the following Equation 2, whereby. 


Bstingers = 1/Tstingers (2) 


Bstingers(t)is the abandonment rate of stinging worker bees. These considerations finally lead to 
Equation 3, which describes the dynamics of the stinger worker bee task group 


ds 
‘dt = Ostingers PO): U(H) ~ Bstingers- S(t) (3) 


As consider worker bee population as being a closed system, it can model the dynamics of the decided 
worker bee by the following Equation 4, whereby nHunters expresses the total number of hunting ants and U(t) 
expresses the number of decided worker bee: 


U(t) = nyunters — S(t) (4) 
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The number of worker bee that engage in the hunting task in the full colony population (nColony) 
depends on the colony size. Even smaller colonies have a higher number of workers engaging in hunting than 
larger colonies modeled as the following Equation 5. 


_ 0.0795 
Nyunters = Ncolony- N¢olony°2399=1.22 (5) 


3.3. Flowchart for Proposed System 

The below flow chart represent how bees are protect their hive by using stinging behavior is used in 
optimization algorithm to improve the performance of the bio-inspired algorithm. Worker bees duties change 
upon the bee age in the order (birth with cleaning out their own cell after eating through their capped brood 
cell) are feed brood, receive nectar, clean hive, guard duty, scout, onlooker and foraging (employed bee). Some 
workers employ in other functional behaviors, such as cleaning corpses of their nest mates from inside the hive. 
This section describes about stinging behavior of bee. In Honey bee colony, guard bees are monitoring the 
entrance to their hive for intruders. Guard bees are sting for three reasons. First one is intruders, Honey bees 
behave defensively when intruder are near. While monitoring, if guard bees are find intruder for example prey, 
then it will signal the intruder and also release alarm pheromone to other bees. If the process is continued, then 
it will sting the intruder. 


Queen, Drone, worker 


Task can be assigned to the 
workers such as scout, onlooker 
and employed bees 


Secure I live 


Detect any 
abnormal 
activit 


Alert Bees/Warn Source 


On occurrence 
of any disturbance, 


Ye! 


S 
Communicate with Worker Bees 
Locate and mark the threat 
Sting/attack the threat 


Increase the attack on the threat 
with release more pheromone 


Yes 


Check the 
disturbance over 
Figure 2. Flow chart of the proposed algorithm 


Second one is other hive bees; guard bees are won’t allow other hive bee because they will rob honey, 
pollen and nectar. They identify the other hive bees based on pheromone (i.e each hive contains a unique 
pheromone) by using guard bees’ sensing antennas. If other bees are continued to enter the hive then they will 
sting other bee. 

Third one is to protect our self from any other while gathering pollen and nectar. Honey bees are 
capable to sting only once. Because stingers consist of barbs and are attached to the worker’s intestine, they 
detach from the stinging bee’s body after attacking a victim. After stinging, honey bee will die soon after 
transferring its venom; pheromones released at the time of attack will alarm and stimulate other worker bees 
to attack described in the Figure 2. 


IJ-AI Vol. 7, No. 4, December 2018 : 153 — 164 


IJ-AI ISSN: 2252-8938 0 157 


4. PERFORMANCE EVALUATION 
4.1. Intrusion Detection System 

Intrusion is the set of actions that attempts to compromise integrity, confidentiality or availability of 
network resources; while an intruder is any user or group of users who initiates such intrusive action. An 
Intrusion Detection System is engineered to generate an alert when it observes potentially malicious traffic. It 
monitors packets from network connections and determines if it is an intrusive activity or not. Once an intrusion 
is detected, the IDS simply performs one of the following actions: (a) Logs in a message into system audit file 
to be later analyzed by network security experts, (b) Send email alert to a network administrators, and (c) Stops 
such connection to end an intruder's attack (as placed under Intrusion Prevention System) amongst many 
other functions. 

Intrusion Detection Systems (IDS) are security tools that provided to strengthen the security of 
communication and information systems. This approach is similar to other measures such as antivirus software, 
firewalls and access control schemes. It is divided into an anomaly detection system and signature detection 
system [3]. The signature based detection identifies traffic data which is to be dangerous attack where anomaly 
detection compares activities against a normal behavior. Hybrid intrusion detection systems combine the 
techniques of both these approaches. Each technique has its own advantages and disadvantages. The advantage 
of anomaly detection system as follows. Firstly, they are capable of detecting insider attacks. For example if 
any user is using any stolen account and perform such actions that are beyond normal profile of the user, an 
alarm will be generated by the anomaly detection system. Secondly, the detection system is based on custom 
made profiles. It becomes very difficult for an attacker to carry out any activity without setting off an alarm. 
Finally, it can detect the attacks that are previously not known. Anomaly detection systems look for anomalous 
events rather than the attacks. 

Many HIDS employ techniques for both signature and anomaly based IDS. Signature based HIDS can 
only derive from well known attacks, whereas anomaly IDS can derive from both unknown and known attacks. 
Based on this reason, I have chosen the anomaly technique in the proposed system. Basically, the anomaly 
intrusion detection technique can be categorized into three categories: 1) statistically based, 2) knowledge 
based. The traditional detection method is also as called behavioral or statistical anomaly detection. It selects 
key data about network traffic as behavior to recognize the regular activities [1]. Another anomaly technique 
is knowledge based anomaly detection which compromise of set of rules. These set of rules are the basis of the 
desired model that determine the system behavior [2]. 

Anomaly detection is also called a hybrid detection system. It is a method to detecting the patterns in 
a data knowledge whose activity is not natural on certain condition. These unexpected behaviors are also 
termed as anomalies or outliers. The anomalies are not always considered as an attack but it identifies abnormal 
behavior which is previously not known. It may or may not be harmful. The anomaly detection provides very 
significant and critical information in various applications, for example Credit card thefts or identity thefts [4]. 
Mining techniques are used to analyzing the data by predict relationship between data. These include clustering, 
classification and machine based learning techniques. Hybrid approaches are also being created in order to 
attain higher level of accuracy on detecting anomalies. In this approach the authors try to combine existing data 
mining algorithms to derive better results. Thus detecting the abnormal or unexpected behavior or anomalies 
will yield to study and categorize it into new type of attacks or any particular type of intrusions. 


4.2. Basic Methodology of Anomaly Detection Technique 
Although different anomaly approaches exists, as shown in Figure 3 parameter wise train a model 

prior to detection. 

1. Parameterization: Pre processing data into a pre-established formats such that it is acceptable or in 
accordance with the targeted systems behavior. 

2. Training stage: A model is built on the basis of normal (or abnormal) behavior of the system. It can be 
both manual and automatic. 

3. Detection stage: It is compared with the pre defined observed traffic activities with available data. If the 
deviation found exceeds (or is less than when in the case of abnormality models) from a pre defined 
threshold then an alarm will be triggered. 
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Monitored Environment 
Training 
Model (Testing) 


Detection | 


Intrusion Report 


Discard Intruder 


Figure 3. Methodology of Anomaly Detection 


4.3. OABBS Algorithm for A-HIDS 

The proposed algorithm for anomaly based host intrusion detection system (A-HIDS) which is based 
on a novel optimization algorithm based on stinging behavior of bee. The proposed algorithm is used to find 
the malicious node and discard the malicious node. The proposed algorithm mimics the guard duty of honey 
bee for monitoring and stinging behavior of honey bee for find and discard malicious node. Let ‘X’ be the 
population of ‘I’ individuals packets (indiv1, indiv2, indiv3,...indivn). The proposed algorithm consist of three 
main steps of monitoring the host, finding malicious node, and discard malicious node which is described in 
the Figure 4. 

In the monitoring phase, Initialize the “Xn’ population and ‘Dn’ generated detectors randomly 
whereby ‘n’ is the number of packet. The ‘Dn’ detectors monitoring the host and incoming ‘n’ packets (n=1, 
2, 3,...wb) and ‘T’ is the total number of detectors. The detector finds the malicious node based on the 
malicious node. The formula for ‘threshold value’ and m is the number of generated detectors. 


m fi fd 
Threshold value = Z=oHtness of detector (6) 


m 


In finding the malicious node phase, let ‘maxthershold’ is the maximum threshold value and 
‘threshold’ is the initial threshold value. If initial threshold value of the packet is greater than maximum 
threshold value then it will find the malicious node through that value. The threshold value is set or increased 
based on the anomaly behavior. Furthermore, comparing the normal behavior and anomaly behavior from host 
‘H(n)’ whereby ‘H(n)’ is the number of host. If all the condition is true (i.e found anomaly) then it will generate 
alarm ‘Aj’ to neighbor node ‘N(n)’ whereby ‘Aj’ is the number of alarm generated and ‘N(n)’ is the number 
of neighbor node. 

In discarding the malicious node phase, based on the alarm to the neighbor node will find the malicious 
node ‘A(n)’ whereby ‘A(n)’ is the number of anomaly node. After finding the anomaly node, check the 
anomaly behavior is continued based on the threshold value. If it is reached the threshold value then recruit 
nearest neighbor node to the anomaly node and store new intrusion in the records. The nearest neighbor node 
will locate and mark anomaly node then discard the anomaly node from the network. 


BEGIN 

‘X’ be the population of ‘I’ individuals 

X={indiv,, indivo, indivs,...indiv,} 
1. Initialize the population ‘X,’ randomly for threshold=0, maxthershold, Aj, H(n), N(n), A(n), m, n=1, 2, 3,...wb 
2. Initialize randomly generated detectors D, 
3. Set T=Total number of detectors 


__ Yf2o fitness of detector 


Threshold value = —— (7) 
4. Repeat the step 7 until threshold < maxthershold 
5. IF 
4.1. Compare ((H(n)=normal)V(H(n)=anomaly)) 
4.2 Ifit is anomaly then produce a alarm A; to neighbor node N(n) 
4.3 Calculate threshold value by (1) based on A; for D, 
6. ENDIF 
7. WHILE 


7.1. Check H(n)=anomaly is continued based on threshold value 
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7.2 Check threshold value by step 2. 
7.3 If the threshold value is satisfied by step 2, then 
74 Assign D,=new_intrusion 
7.5 Recruit nearest N(n) for Anomaly node A(n) by (1) 
7.6 Locate and mark the A(n) 
7.7 Discard A(n) 
7.8 Repeat until it continued by step 2 
8. END WHILE 
END 


Figure 4. Optimization Algorithm Based on Bee Stinging (OABBS) for A-HIDS 


4.4. Flowchart for A-Hids 

Initialize the entire node and it is in monitored environment by checking the threshold value of 
incoming packet and comparing the normal and anomaly behavior. 

If the entire condition is satisfied then it will generate the alarm otherwise it will allow packet to the 
host. If the threshold value of the packet is reached the maximum threshold value then recruit other nearest 
neighbor node by generating continuous alarm and also store it as a new intrusion. The neighbor nodes are 
located and mark the anomaly node. Finally discard the anomaly node form the network. This process is 
continued until the disturbance is stopped which is described in the Figure 5. 


Initialization 
Randomly Generated Detectors 
Monitored environment 


Match with 
records 


Activation threshold 
reached? 


Yes 


Figure 5. Flowchart of Optimization Algorithm Based on Bee Stinging (OABBS) for A-HIDS 


5. EXPERIMENTAL RESULTS 

In this section, to discuss our approach to evaluate the effectiveness of the proposed algorithm in 
detecting malicious activities in web server log files. Moreover, we examine the capability of the features that 
are extracted from log files to capture the properties of attributes that have been collected in Enhanced Custom 
Log file (ECL) files. 

The proposed OABBS algorithm, three different algorithms including Real-valued Negative Selection 
(RNS), Artificial Bee Colony (ABC) and Support Vector Machine (SVM) algorithm are chosen to learn the 
dataset which is generated from the ECL log files. 

Both SVM and ABC have been employed in network based IDSs. The reason that they are chosen is 
that, they proved to have high ability in detecting intrusion in the network based systems. Consider that, due 
to the independency of the detector system’s modules from the analysis and detection module, it is possible to 
change the algorithms employed in this part or use the combination of that algorithms as a new one. 

In this section different kind of metrics are measured to evaluate the ability of the algorithms to learn 
the properties of the features of the data and also detecting the malicious activities. The results are presented 
for each algorithm in analysis and detection module. 
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Generally, four situations can be assumed corresponding the relation between the result of an analysis 
for a sample event and its actual nature in an IDS. These situations include: false positive (FP), if the analyzed 
event is not an attack, but it is classified as a malicious activity; true positive (TP), if the analyzed event is 
correctly classified as intrusion; false negative (FN), if the analyzed event is malicious, but it is classified as a 
normal activity in the system; and true negative (TN), if the analyzed event is correctly classified as a normal 
activity. 


6. PERFORMANCE ANALYSIS 

The performance of proposed system can be done using Precision, Recall, F-measure, Standard 
Accuracy Rate (SAR) and Fitness Value (FV). Precision, Recall, F-measure, SAR and FV of Optimization 
Algorithm Based on Bee Stinging (OABBS) compared with Real-valued Negative Selection (RNS), Artificial 
Bee Colony (ABC) and Support Vector Machine (SVM) and the comparison results are described in Table 2 
and Table 3. 

Precision (P) is the proportion of the predicted positive cases that were correct, as calculated using the 
Equation (6). Recall or Sensitivity or True Positive Rate (TPR) is the proportion of positive cases that were 
correctly identified, as calculated using the Equation (7). The F-Measure computes some average of the 
information retrieval precision and recall metrics. An arithmetic mean does not capture the fact that a (50%, 
50%) system is often considered better than an (80%, 20%) system, as calculated using the Equation (8). 
Accuracy (AC) is directly proportion to the total number of predictions. It is determined using the 
Equation (9). Fitness value (FV) is required to determine the quality of certain classified as positive instances 
between the good and bad individuals, as calculated using the Equation (10). 


Precision= TP/( TP + FP ) (8) 


Recall= TP/( TP + EN ) 
F-measure=2 (oe) 
Precision + Recall 


Standard Accuracy Rate= (TP+TN)/(TP+FP+TN+FN) 


: TP TN 
Fitness Value=—— x —— (9) 
TP+FN “’ TN+FP 


The precision graph represents the discussed measures for each of four algorithms where when ‘n’ 
number of attacks occurs every time the IDS alarm the user for attack. It is shown that the number of precision 
percentage in the proposed work (OABBS) increases compare to SVM, ABC, and RNF since it guarantees 
alerting the user at the correct time of attack. The proposed OABBS algorithm has the highest values for 
precision while producing the least false alarm. The algorithm performs more effectively in detecting malicious 
attack when compared to other algorithms which is described in the Figure 6. 
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Figure 6. Precision of OABBS on Comparison with SVM, ABC and RNF 
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Table 1. The alarm measures for each learning algorithms. 
Sl.no Network Anomaly ABC RNF SVM OABBS 
size input 
TP FP TN FN TP FP TN FN TP FP TN FN TP FP TN’ FN 
10 5 2 4 3 5 3 3 2 4 3 2 2: 3 4 i a | 2 
10 4 7 6 10 6 6 4 8 7 4 3 6 8 De, <2) ] 
20 7 12 13 17 11 10 9 14 13 7 7 11 16 4 4 5 
50 10 5 8 5 12 7 6 3 8 8 4 2 6 9 2 1 2 
25 11 17 16 26 13 11 12 14 16 8 9 11 21 4 #4 4 
50 21 31 29 49 26 21 24 27 31 15 19 21 41 7 9 7 
100 25 12 17 13 27 13 10 12 13 17 8 8 11 27 4 #8 4 
50 22 31 26 47 26 19 24 25 33 15 17 19 43 6 7 6 
100 49 69 51 99 53 38 47 49 73 33 27 39 79 11 21 10 
500 50 23 32 27 43 26 18 24 23 36 16 14 17 46 6 4 5 
100 51 70 49 93 57 39 43 47 77 34 23 36 89 12 11 7 
200 99 133 101 169 119 80 81 97 139 59 61 57. 153 17 47°» «=I 
1000 100 53 71 47 87 59 39 41 47 79 27 21 31 91 9 9 6 
200 111 148 99 179 127 83 73 97 149 49 51 58 167 11 33 9 
500 259 343 241 389 263 169 241 197 332 103 178 117. 411 +16 81 217 
Table 2. The results of the efficiency measures for each four learning algorithms. 
ai Network Anomaly Precision Recall F-measure 
es ob SVM ABC —_RNF OABBS SVM ABC  RNF ~ OABBS SVM ABC RNF — OABBS 
5 33.33333 50 60 80 28.57143 42.85714 50 66.66667 30.76923 46.15385 54.54545 72.72727 
1 10 10 36.36364 50 63.63636 80 28.57143 42.85714 53.84615 72.72727 32 46.15385 58.33333 76.19048 
20 36.84211 52.38095 65 80 29.16667 44 54.16667 76.19048 32.55814 47.82609 59.09091 78.04878 
10 38.46154 53.84615 66.66667 81.81818 29.41176 46.66667 57.14286 81.81818 33.33333 50 61.53846 81.81818 
2 50 25 39.28571 54.16667 66.66667 84 29.72973 48.14815 59.25926 84 33.84615 50.98039 62.7451 84 
50 40.38462 55.31915 67.3913  85.41667 30 49.0566 59.61538 85.41667 34.42623 52 63.26531 85.41667 
25 41.37931 56.52174 68 87.09677 30.76923 50 60.71429 87.09677 35.29412 53.06122 64.15094 87.09677 
3 100 50 41.50943 57.77778 68.75 87.7551 31.88406 50.98039 63.46154 87.7551 36.06557 54.16667 66 87.7551 
100 41.52542 58.24176 68.86792 87.77778 33.10811 51.96078 65.17857 88.76404 36.84211 54.92228 66.97248 88.26816 
50 41.81818 59.09091 69.23077 88.46154 34.84848 53.06122 67.92453 90.19608 38.01653 55.91398 68.57143 89.32039 
4 500 100 42.14876 59.375 69.36937 88.11881 35.41667 54.80769 68.14159 92.70833 38.49057 57 68.75 90.35533 
200 42.67241 59.79899 70.20202 90 36.9403 55.09259 70.91837 93.29268 39.6 57.3494 70.55838 91.61677 
100 42.74194 60.20408 74.5283 91 37.85714 55.66038 71.81818 93.81443 40.15152 57.84314 73.14815 92.38579 
5 1000 200 42.85714 60.47619 75.25253 93.82022 38.27586 56.69643 71.98068 94.88636 40.43716 58.52535 73.58025 94.35028 
500 43.02326 60.87963 76.32184 96.25293 39.96914 57.17391 73.94209 96.02804 41.44 58.96861 75.11312 96.14035 
Table 3. The results of the efficiency measures for each four learning algorithms. 
SLno Network Anomaly SAR FV 
ae ee SVM ABC. RNF  OABBS SVM ABC _ RNF OABBS 
5 35.71429 41.66667 50 62.5 12.2449 17.14286 25 33.33333 
1 10 10 37.03704 41.66667 50 66.66667 13.18681 17.14286 23.07692  36.36364 
20 40.81633 45.45455 52.63158 68.96552 15.16667 20.84211 27.08333 38.09524 
10 33.33333 41.66667 50 71.42857 11.31222 15.55556 19.04762 27.27273 
2 50 25 38.57143 50 56.81818 75.75758 14.41441 25.12077 31.37255 42 
50 38.46154 51.02041 58.13953 78.125 14.5 26.16352 33.31448  48.04688 
25 36.23188 52.08333 56.81818 81.39535 13.33333 27.27273 30.35714 58.06452 
3 100 50 38.09524 53.19149 59.52381 80.64516 14.54361 28.45417 33.71394  47.25275 
100 37.31343 53.47594 58.13953 82.64463 14.07095  28.73126 29.33036 58.2514 
50 40 54.94505 60.24096 81.96721 15.94761 30.3207 31.69811 36.07843 
4 500 100 38.02281 53.76344 58.82353 84.03361 14.58333 28.74062 27.49573 44.33877 
200 39.84064 53.0504 63.29114 87.7193 15.94432 27.71739 36.05017  68.51181 
100 38.75969 53.76344 63.29114 86.95652 15.07869 28.52594 31.42045 46.90722 
5 1000 200 39.10615 52.63158 65.14658 90.90909 15.34134 26.53102 36.71014 71.16477 
500 40.58442 57.93103 69.86301 93.71429 16.49411 33.6071 46.83876 _80.18836 


The recall graph represents the discussed measures for each of four algorithms where when ‘n’ number 
of attacks occurs. The SVM and REN are performing quite the same and they can excel the ABC algorithm in 
detecting attacks correctly and not producing incorrect alarms. The proposed OABBS algorithm has the highest 
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values for recall while producing the least false alarm. It is shown that the number of recall percentage in the 
proposed OABBS algorithm has highest value in compare to SVM, ABC, and RNF. The algorithm performs 
more effectively in detecting malicious attack when compared to other algorithms which is described 
in the Figure 7. 
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Figure 7. Recall of OABBS on Comparison with Figure 8. F-measure of OABBS on Comparison 
SVM, ABC and RNF with SVM, ABC and RNF 


However, the Figure 8 shows that the false alarm rate generated by the ABC algorithm is slightly 
smaller compared to that of RFN. Moreover, the recall and the precision, and hence the F-measure 
corresponding to ABC exceed that of RFN. As a result, that the proposed OABBS algorithm is performing 
more effectively in detecting malicious activities compared to other three algorithms which is described 
in the Figure 8. 

In additions, the proposed OABBS algorithm has the highest values for Standard Accuracy Rate 
(SAR) while producing the least false alarm. As a result, that the proposed OABBS algorithm is performing 
more effectively in detecting malicious activities compared to other three algorithms which is described 
in the Figure 9. 

As suggested by this Figure 10, the SVM and RFN are performing quite the same and they can excel 
the ABC algorithm in detecting attacks correctly and not producing incorrect alarms. As a result, that the 
proposed OABBS algorithm is performing more effectively for fitness value in detecting malicious activities 
compared to other three algorithms. 
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7. DISCUSSION 

In this section we summarize the obtained results from the evaluation mechanism presented in 
previous sections. As discussed earlier, the execution time of the RNF is too higher than that of the ABC 
algorithm and SVM. Furthermore, we can see that the ABC is the fastest algorithm in building the normal 
model and detecting anomalies. Also, the proposed OABBS algorithm has a mediocre execution time. 


IJ-AI Vol. 7, No. 4, December 2018 : 153 — 164 


IJ-AI ISSN: 2252-8938 o 163 


The errors of the predicted values for the ABC algorithms are the highest among all three algorithms, 
indicating how ABC is performing poorly in predicting the values for sample data. RNF is performing more 
accurately in predicting the values corresponding to data samples. Finally, the SVM, with a slight difference 
from MLP, is performing quite powerfully in predicting the values for data samples. 

On the other hand, from the efficiency point of view, the proposed OABBS algorithm is performing 
more powerfully in detecting anomalous behaviors with generating fewer mistaken alarms compared to other 
three learning algorithms. As the results of Table 2 suggest, the ability of the ABC and RNF are quite the same. 
Furthermore, we can conclude that the SVM algorithm is performing poorly in detecting attacks, although it is 
the fastest algorithm. 

To sum up, from both the cost (execution time) and the efficiency points of view, the proposed 
OABBS algorithm can be selected as the best choice for the analysis and detection module among the other 
three algorithms discussed in this paper. 


8. CONCLUSION 

The proposed systems introduce a novel optimization algorithm based on the stinging behavior of 
honey bee to Anomaly based Host Intrusion Detection System (A-HIDS). The performance of the proposed 
Anomaly based Host Intrusion Detection System (A-HIDS) using novel optimization algorithm based stinging 
behavior of bee has been compared Real-valued Negative Selection (RNS), Artificial Bee Colony (ABC) and 
Support Vector Machine (SVM). The experimental result showed that the proposed method can outperform 
than exiting system and is suitable for the host intrusion detection 
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